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A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
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Status 
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2a)S This action is FINAL. 2b)D This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quay/e, 1935 CD. 11, 453 O.G. 213. 
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4) E3 Claim(s) 1-40 is/are pending in the application. 
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5) D Claim(s) is/are allowed. 

6) S Claim(s) 1-7,18-21 and 25-38 is/are rejected. 
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8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10) ^ The drawing(s) filed on 31 January 2002 is/are: a)H accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 
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1 2) D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 1 9(a)-(d) or (f). 
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application from the International Bureau (PCT Rule 17.2(a)). 
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DETAILED ACTION 
Response to Arguments 

1 . The Applicant's arguments regarding Claim 7 are not persuasive. As Maloney 
discloses the monitoring of network packets(see Col 8 In 27-40) and producing a 
graph and correlates between historical graph(see Col 6 Ln 65- Col 7 Ln 19), 
where he discloses the generation of many graphs and correlating of each of 
them based on history and patterns. 

2. The Applicant's arguments regarding Claim 22 are persuasive and the rejection 
has been withdrawn. 

3. The Applicant's arguments regarding Claim 1 are not persuasive. As Maloney 
discloses the filtering of network traffic based on characterization process see 
Col 8 Ln 27-40. And the Gleichauf reference shows it monitoring device 
positioned between data center and network see Fig. 2 item 14. And further the 
thwarting of denial of service attacks based on a threshold see Col 8 Ln 58- Col 9 
Ln 2. In response to applicant's argument that there is no suggestion to combine 
the references, the examiner recognizes that obviousness can only be 
established by combining or modifying the teachings of the prior art to produce 
the claimed invention where there is some teaching, suggestion, or motivation to 
do so found either in the references themselves or in the knowledge generally 
available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071 , 5 
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USPQ2d 1596 (Fed. Cir. 1988)and In re Jones, 958 F.2d 347, 21 USPQ2d 1941 
(Fed. Cir. 1992). In this case the combination of network traffic detection of 
Maloney and the use of threshold value to detect denial of service attacks. 



4. The Applicant's arguments regarding Claim 25 are not persuasive. As Maloney 
discloses the activation of filters(after installation) see Col 8 Ln 27-40. 

Response to Amendment 
Claim Rejections - 35 USC § 102 

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

6. A person shall be entitled to a patent unless - 

7. (e) the invention was described in (1 ) an application for patent, published under section 1 22(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

8: Claim 7, 21-22 rejected under 35 U.S.C. 102(e) as being anticipated by U.S. 
Patent 6,304,262 B1 to Maloney et al. (hereinafter Maloney). 

9. Regarding Claim 7, 21 , Maloney discloses the building of graph and the 
classifying of the attack see Col 10 Ln 37-45 & Col 6 Ln 64-Col 7 Ln 6. 
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10. Regarding Claim 22, Maloney discloses the vector-based correlation process 
that correlates suspicious parameters and determines existence of correlations of 
those parameters that can point to types of attacks and reduce dropping 
legitimate traffic see Col 6 Ln 63-Col 7 Ln 1 1 . 

Claim Rejections - 35 USC § 103 

1 1 .The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

a. A patent may not be obtained though the invention is not identically disclosed or described as 
set forth in section 1 02 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

12. Claim 1-6, 18-20, 22, 28-37 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over U.S. Patent 6,301 ,668 B1 to Gleichauf et al. (hereinafter 
Gleichauf) in view of U.S. Patent 6,304,262 B1 to Maloney et al. (hereinafter 
Maloney). 

1 3. Regarding Claim 1 , Gleichauf discloses a detection process to determine to if 
the parameter has exceeded normal values see Col 8 Ln 46- Col 9 Ln 3; the 
filtering process based on the characteristic and being incorporated in a firewall, 
router, and ID system see Col 1 Ln 22-31 & Col 4 Ln 33-39. Gleichauf does not 
disclose a process of building an graph to and to classify the attack. However, 
Maloney discloses the building of graph and the classifying of the attack see Col 



Application/Control Number: 10/066,232 Page 5 

Art Unit: 2132 

10 Ln 37-45. It would be obvious to one having ordinary skill in the art at the time 
of the invention to include the building of graph and the classifying of the attack in 
the invention of Gleichauf in order to allow the systems administrator to take 
appropriate measures as taught in Maloney see Col 7 Ln 40-Col 8 Ln 12. And 
further, Gleichauf discloses the possibly of visual representation see Fig. 3 item 
64, thus the inclusion of a building a graph would be reasonable successful. 

14. Regarding Claim 2, 3, and 4, 22, Gleichauf does not disclose a vector-based 
correlation process that correlates suspicious parameters and determines 
existence of correlations of those parameters that can point to types of attacks 
and reduce dropping legitimate traffic . However, Maloney discloses the vector- 
based correlation process that correlates suspicious parameters and determines 
existence of correlations of those parameters that can point to types of attacks 
and reduce dropping legitimate traffic see Col 6 Ln 63-Col 7 Ln 1 1. It would be 
obvious to one having ordinary skill in the art at the time of the invention to 
include a correlation process that correlates suspicious parameters and 
determines existence of correlations of those parameters that can point to types 
of attacks in the invention of Gleichauf in order to a precise relationship and to 
differentiate between legitimate traffic as taught in Maloney see Col 7 Ln 7-1 1 . 

15. Regarding Claim 5, Gleichauf discloses the aggregate filtering see Col 1 Ln 23- 

31. 
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16. Regarding Claim 6 and 18, Gleichauf discloses the parameters including a 
source IP protocol, IP length, TCP/UDP ports see Col 6 Ln 24-35. 

1 7. Regarding Claim 1 9, Gleichauf discloses the data collector see Fig. 2 item 36. 

18. Regarding Claim 20, Gleichauf discloses the process being executed on a 
gateway see Fig. 2 item 20. 

19. Regarding Claim 28-31 and 32, Gleichauf discloses a detection process to 
determine to if the parameter has exceeded normal values see Col 8 Ln 46- Col 
9 Ln 3; the filtering process based on the characteristic and being incorporated in 
a firewall, router, and ID system see Col 1 Ln 22-31 & Col 4 Ln 33-39. Gleichauf 
does not disclose a process of building an graph to and to classify the attack. 
However, Maloney discloses the building of graph and the classifying of the 
attack see Col 10 Ln 37-45. It would be obvious to one having ordinary skill in the 
art at the time of the invention to include the building of graph and the classifying 
of the attack in the invention of Gleichauf in order to allow the systems 
administrator to take appropriate measures as taught in Maloney see Col 7 Ln 
40-Col 8 Ln 12. And further, Gleichauf discloses the possibly of visual 
representation see Fig. 3 item 64, thus the inclusion of a building a graph would 
be reasonable successful. 
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20. Regarding Claim 33, 34, 35, and 36, Gleichauf discloses the communicating 
statistics to a control center, the gateway being deployed in the network and 
filtering occurs on nearby routers see Fig. 1 item 5, Fig. 2 item 20, Fig. 2 item 16 
and 32. 

21 . Regarding Claim 37-38, Gleichauf discloses a detection process to determine to 
if the parameter has exceeded normal values see Col 8 Ln 46- Col 9 Ln 3; the 
filtering process based on the characteristic and being incorporated in a firewall, 
router, and ID system see Col 1 Ln 22-31 & Col 4 Ln 33-39. Gleichauf does not 
disclose a process of building an graph to and to classify the attack. However, 
Maloney discloses the building of graph and the classifying of the attack see Col 
10 Ln 37-45. It would be obvious to one having ordinary skill in the art at the time 
of the invention to include the building of graph and the classifying of the attack in 
the invention of Gleichauf in order to allow the systems administrator to take 
appropriate measures as taught in Maloney see Col 7 Ln 40-Col 8 Ln 12. And 
further, Gleichauf discloses the possibly of visual representation see Fig. 3 item 
64, thus the inclusion of a building a graph would be reasonable successful. 
Gleichauf does not disclose a vector-based correlation process that correlates 
suspicious parameters and determines existence of correlations of those 
parameters that can point to types of attacks and reduce dropping legitimate 
traffic . However, Maloney discloses the vector-based correlation process that 
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correlates suspicious parameters and determines existence of correlations of 
those parameters that can point to types of attacks and reduce dropping 
legitimate traffic see Col 6 Ln 63-Col 7 Ln 11 It would be obvious to one having 
ordinary skill in the art at the time of the invention to include a correlation process 
that correlates suspicious parameters and determines existence of correlations of 
those parameters that can point to types of attacks in the invention of Gleichauf 
in order to a precise relationship and to differentiate between legitimate traffic as 
taught in Maloney see Col 7 Ln 7-1 1 . 



22. Claim 25 rejected under 35 U.S.C. 103(a) as being unpatentable over U.S. 
Patent 6,304,262 B1 to Maloney et al. (hereinafter Maloney) in view of U.S. 
Patent 6,301,668 B1 to Gleichauf et al.(hereinafter Gleichauf). 



23. Regarding Claim 25, Maloney does not discloses the installing filters on routers, 
having data collectors, and parameters. However, Gleichauf discloses the 
installing of filters on routers see Col 4 Ln 33-39. Gleichauf discloses the data 
collector see Fig. 2 item 36. And further, Gleichauf discloses the parameters 
including a source IP protocol, IP length, TCP/UDP ports see Col 6 Ln 24-35. It 
would be obvious to one having ordinary skill in the art at the time of the 
invention to include installing filters on routers in the invention of Maloney in 
order to increase security as taught in Gleichauf see Col 4 Ln 33-39. 
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Allowable Subject Matter 

24. Claims 8-17, 22-24, 39-40 objected to as being dependent upon a rejected base 
claim, but would be allowable if rewritten in independent form including all of the 
limitations of the base claim and any intervening claims. 

Conclusion 

25. THIS ACTION IS MADE FINAL Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .136(a). A shortened statutory period for reply to 
this final action is set to expire THREE MONTHS from the mailing date of this 
action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the 
THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee 
pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of the 
advisory action. In no event, however, will the statutory period for reply expire 
later than SIX MONTHS from the mailing date of this final action. 

26. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Venkatanarayanan Perungavoor whose 
telephone number is 571-272-7213. The examiner can normally be reached on 
8-4:30. If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Gilberto Barron can be reached on 571-272-3799. The 
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fax phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 

27. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR 
only. For more information about the PAIR system, see http://pair- 
direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll- 
free). 
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